From nobody Mon Apr  6 16:05:07 2026
Received: (at submit) by bugs.debian.org; 30 Mar 2026 07:54:44 +0000
Return-path: <guilhem@debian.org>
Received: from stravinsky.debian.org ([2001:41b8:202:deb::311:108]:51258)
 by buxtehude.debian.org with esmtps
 (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from <guilhem@debian.org>) id 1w77SO-00FtPh-1z
 for submit@bugs.debian.org; Mon, 30 Mar 2026 07:54:44 +0000
Received: from authenticated user by stravinsky.debian.org with esmtpsa
 (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from <guilhem@debian.org>) id 1w77SN-001IcJ-2I;
 Mon, 30 Mar 2026 07:54:42 +0000
Received: by localhost.localdomain (Postfix, from userid 1000)
 id 310E3420053; Mon, 30 Mar 2026 09:54:40 +0200 (CEST)
Date: Mon, 30 Mar 2026 09:54:40 +0200
From: Guilhem Moulin <guilhem@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: roundcube: SVG Animate FUNCIRI Attribute Bypass
Message-ID: <acosQA9eQ7LNp2Hc@debian.org>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature"; boundary="XpnphztEqQo/CPeh"
Content-Disposition: inline
X-Reportbug-Version: 13.2.0
X-Debian-User: guilhem
Delivered-To: submit@bugs.debian.org


--XpnphztEqQo/CPeh
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Source: roundcube
Version: 1.6.14+dfsg-1
Severity: important
Control: found -1 1.6.13+dfsg-0+deb13u1
Control: found -1 1.6.5+dfsg-1+deb12u7
Control: found -1 1.4.15+dfsg.1-1+deb11u7
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

Roundcube webmail upstream has recently released 1.6.15 [0] which fixes
the following security vulnerability:

  * SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via
    fill/filter/stroke, reported by class_nzm.
    https://github.com/roundcube/roundcubemail/commit/9d18d524f3cc211003fc99e2e54eed09a2f3da88

AFAIK no CVE ID has been assigned for this issue.  I just requested one.
-- 
Guilhem.

[0] https://roundcube.net/news/2026/03/29/security-updates-1.7-rc6-1.6.15-1.5.15
    https://github.com/roundcube/roundcubemail/releases/tag/1.6.15
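
Added example (editor's illustration, not Roundcube's code and not the upstream fix linked above): a check that walks an SVG document and reports animation elements whose from/to/by/values carry a url(...) FUNCIRI pointing outside the document, which is the fill/filter/stroke pattern the advisory describes. The sample SVG, the host names in it and the function names are constructed for this example.

```python
"""Flag SVG animation elements whose animated value is a FUNCIRI (url(...))
pointing outside the document, e.g. <animate attributeName="fill" to="url(https://...)">."""
import re
import xml.etree.ElementTree as ET

# Animation elements that rewrite another attribute's value at render time.
ANIMATION_TAGS = {"animate", "set", "animateTransform", "animateMotion"}
# Attributes carrying the animated value ("values" is a ;-separated list).
VALUE_ATTRS = ("from", "to", "by", "values")
# Extracts the IRI inside url(...); quotes around the IRI are optional.
FUNCIRI_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.IGNORECASE)


def _local_name(tag):
    # ElementTree writes namespaced tags as "{uri}name"; keep only "name".
    return tag.rsplit("}", 1)[-1]


def remote_funciri_refs(svg_text):
    """Return (element, attributeName, iri) for every animated url(...) whose
    target is not a same-document fragment (#id). Anything else, including
    http(s):, protocol-relative and data: IRIs, is reported so the caller
    can drop the element or reject the image."""
    root = ET.fromstring(svg_text)
    findings = []
    for el in root.iter():
        if _local_name(el.tag) not in ANIMATION_TAGS:
            continue
        target = el.get("attributeName", "")
        for attr in VALUE_ATTRS:
            raw = el.get(attr)
            if raw is None:
                continue
            for value in raw.split(";"):
                for iri in FUNCIRI_RE.findall(value):
                    if not iri.strip().startswith("#"):
                        findings.append((_local_name(el.tag), target, iri.strip()))
    return findings


# Constructed sample (not from the report): the static fill is a local
# gradient, but <animate> swaps it for a remote URL once rendered.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg">
  <rect width="10" height="10" fill="url(#g)">
    <animate attributeName="fill" to="url(https://tracker.example/p.svg#g)" dur="1s" fill="freeze"/>
  </rect>
  <circle r="5">
    <set attributeName="filter" to="url(#blur)"/>
  </circle>
</svg>"""
```

Running remote_funciri_refs(SAMPLE_SVG) reports only the animate element on the rect; the set element on the circle references a local filter and passes.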

--XpnphztEqQo/CPeh
Content-Type: application/pgp-signature; name="signature.asc"


--XpnphztEqQo/CPeh--